SIP/RTP + NAT - One way audio


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L1 Bithead

Unfortunately, our old 3COM VCX doesn't have all those fancy options.. I'm anticipating our switch to NEC Spherical in the near future..
Until then, I'm stuck trying to fiddle with App Override and NAT rules. I've been working with Palo Alto for a few weeks now and we've still have no luck getting audio to enter the network from outside the firewall. Audio has no problem exiting, though.

Not applicable

Having been jumping on this for a while - I think that I finally have found out what the (/&%(/&¤&% goes on.

Fortunately one of our SIP trunk providers allows you to change the codec and ho and below I found that:

G711U - works

G711A - works

GSM-FM - works

G729 - DOES NOT WORK !!!!!

So. If your provider is using G729 - then this is likely why it doesn't work.

You need to have the provider to set G711U/A as prefered codec AND you need to set the G711U/A as prefered codec on the SIP trunk on the 3CX.

It seems (according to my test) - that if the provider is set to G729 it doesn't matter what you set - it just won't work.

Please let me know if you can confirm my latest finding.



L1 Bithead

Hi everybody.

We're having problems with NAT for RTP. In our configuration, we've created a static NAT rule(as described above) for our CallManager. That works fine.

The problem is with telephones. They must communicate with our provider (public IP's) so we created a NAT rule type Dynamic-IP-and-Port, so our telephony subnet shares a single public IP. SIP session is created and negotiated correctly. The problem comes with RTP traffic, and, the worst thing: only with some telephones (nothing in common between them). If we reload the firewalls, everything works fine, but, after a time, some telephones doesn't work: one-way audio (incoming audio doesn't work). It seems a problem with NAT, because, after a time, Firewalls stop doing NAT, using for the sessions the private IP address of the phones; then, obviously, provider isn't able to respond to a private IP address.

I've checked this with tcpdump captures and we cannot explain this behaviour of the firewalls. Maybe the NAT table is full?

Could you help me please?

L1 Bithead

Hi again.

I've seen the failed NAT and when it happens:

This is a connection RTP from  a phone to our telephony provider, and it works:

67130 rtcp           ACTIVE FLOW  NS[3001]/LAN/17  ([2940])

vsys1[23639]/INTERNET  ([23639])

But, after that, another connection using the same source port, it doesn't work:

127233 rtcp           ACTIVE FLOW[3001]/LAN/17 ([3001])

vsys1[21789]/INTERNET  ([21789])

Most of the situations: it fails with ports 3000 and 3001.

Thank you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!